Add workspace network policy and published ports

Replace the workspace-level boolean network toggle with explicit network policies and attach localhost TCP publication to workspace services.

Persist network_policy in workspace records, validate --publish requests, and run host-side proxy helpers that follow the service lifecycle so published ports are cleaned up on failure, stop, reset, and delete.

Update the CLI, SDK, MCP contract, docs, roadmap, and examples for the new policy model, add coverage for the proxy and manager edge cases, and validate with uv lock, UV_CACHE_DIR=.uv-cache make check, UV_CACHE_DIR=.uv-cache make dist-check, and a real guest-backed published-port probe smoke.

README.md

@@ -20,7 +20,7 @@ It exposes the same runtime in three public forms:
 - First run transcript: [docs/first-run.md](docs/first-run.md)
 - Terminal walkthrough GIF: [docs/assets/first-run.gif](docs/assets/first-run.gif)
 - PyPI package: [pypi.org/project/pyro-mcp](https://pypi.org/project/pyro-mcp/)
-- What's new in 2.9.0: [CHANGELOG.md#290](CHANGELOG.md#290)
+- What's new in 2.10.0: [CHANGELOG.md#2100](CHANGELOG.md#2100)
 - Host requirements: [docs/host-requirements.md](docs/host-requirements.md)
 - Integration targets: [docs/integrations.md](docs/integrations.md)
 - Public contract: [docs/public-contract.md](docs/public-contract.md)
@@ -57,7 +57,7 @@ What success looks like:
 ```bash
 Platform: linux-x86_64
 Runtime: PASS
-Catalog version: 2.9.0
+Catalog version: 2.10.0
 ...
 [pull] phase=install environment=debian:12
 [pull] phase=ready environment=debian:12
@@ -78,6 +78,7 @@ After the quickstart works:
 - prove the full one-shot lifecycle with `uvx --from pyro-mcp pyro demo`
 - create a persistent workspace with `uvx --from pyro-mcp pyro workspace create debian:12 --seed-path ./repo`
 - update a live workspace from the host with `uvx --from pyro-mcp pyro workspace sync push WORKSPACE_ID ./changes`
+- enable outbound guest networking for one workspace with `uvx --from pyro-mcp pyro workspace create debian:12 --network-policy egress`
 - add literal or file-backed secrets with `uvx --from pyro-mcp pyro workspace create debian:12 --secret API_TOKEN=expected --secret-file PIP_TOKEN=./token.txt`
 - map one persisted secret into one exec, shell, or service call with `--secret-env API_TOKEN`
 - diff the live workspace against its create-time baseline with `uvx --from pyro-mcp pyro workspace diff WORKSPACE_ID`
@@ -86,6 +87,7 @@ After the quickstart works:
 - export a changed file or directory with `uvx --from pyro-mcp pyro workspace export WORKSPACE_ID note.txt --output ./note.txt`
 - open a persistent interactive shell with `uvx --from pyro-mcp pyro workspace shell open WORKSPACE_ID`
 - start long-running workspace services with `uvx --from pyro-mcp pyro workspace service start WORKSPACE_ID app --ready-file .ready -- sh -lc 'touch .ready && while true; do sleep 60; done'`
+- publish one guest service port to the host with `uvx --from pyro-mcp pyro workspace create debian:12 --network-policy egress+published-ports` and `uvx --from pyro-mcp pyro workspace service start WORKSPACE_ID app --ready-http http://127.0.0.1:8080/ --publish 18080:8080 -- ./start-app`
 - move to Python or MCP via [docs/integrations.md](docs/integrations.md)
 
 ## Supported Hosts
@@ -139,7 +141,7 @@ uvx --from pyro-mcp pyro env list
 Expected output:
 
 ```bash
-Catalog version: 2.9.0
+Catalog version: 2.10.0
 debian:12 [installed|not installed] Debian 12 environment with Git preinstalled for common agent workflows.
 debian:12-base [installed|not installed] Minimal Debian 12 environment for shell and core Unix tooling.
 debian:12-build [installed|not installed] Debian 12 environment with Git and common build tools preinstalled.
@@ -215,7 +217,9 @@ longer-term interaction model.
 
 ```bash
 pyro workspace create debian:12 --seed-path ./repo
+pyro workspace create debian:12 --network-policy egress
 pyro workspace create debian:12 --seed-path ./repo --secret API_TOKEN=expected
+pyro workspace create debian:12 --network-policy egress+published-ports
 pyro workspace sync push WORKSPACE_ID ./changes --dest src
 pyro workspace exec WORKSPACE_ID -- cat src/note.txt
 pyro workspace exec WORKSPACE_ID --secret-env API_TOKEN -- sh -lc 'test "$API_TOKEN" = "expected"'
@@ -230,6 +234,7 @@ pyro workspace shell read WORKSPACE_ID SHELL_ID
 pyro workspace shell close WORKSPACE_ID SHELL_ID
 pyro workspace service start WORKSPACE_ID web --secret-env API_TOKEN --ready-file .web-ready -- sh -lc 'touch .web-ready && while true; do sleep 60; done'
 pyro workspace service start WORKSPACE_ID worker --ready-file .worker-ready -- sh -lc 'touch .worker-ready && while true; do sleep 60; done'
+pyro workspace service start WORKSPACE_ID app --ready-http http://127.0.0.1:8080/ --publish 18080:8080 -- ./start-app
 pyro workspace service list WORKSPACE_ID
 pyro workspace service status WORKSPACE_ID web
 pyro workspace service logs WORKSPACE_ID web --tail-lines 50
@@ -243,7 +248,7 @@ Persistent workspaces start in `/workspace` and keep command history until you d
 machine consumption, add `--json` and read the returned `workspace_id`. Use `--seed-path` when
 you want the workspace to start from a host directory or a local `.tar` / `.tar.gz` / `.tgz`
 archive instead of an empty workspace. Use `pyro workspace sync push` when you want to import
-later host-side changes into a started workspace. Sync is non-atomic in `2.9.0`; if it fails
+later host-side changes into a started workspace. Sync is non-atomic in `2.10.0`; if it fails
 partway through, prefer `pyro workspace reset` to recover from `baseline` or one named snapshot.
 Use `pyro workspace diff` to compare the live `/workspace` tree to its immutable create-time
 baseline, and `pyro workspace export` to copy one changed file or directory back to the host. Use
@@ -255,6 +260,9 @@ persistent PTY session that keeps interactive shell state between calls. Use
 Typed readiness checks prefer `--ready-file`, `--ready-tcp`, or `--ready-http`; keep
 `--ready-command` as the escape hatch. Service metadata and logs live outside `/workspace`, so the
 internal service state does not appear in `pyro workspace diff` or `pyro workspace export`.
+Use `--network-policy egress` when the workspace needs outbound guest networking, and
+`--network-policy egress+published-ports` plus `workspace service start --publish` when one
+service must be probed from the host on `127.0.0.1`.
 Use `--secret` and `--secret-file` at workspace creation when the sandbox needs private tokens or
 config. Persisted secrets are materialized inside the guest at `/run/pyro-secrets/<name>`, and
 `--secret-env SECRET_NAME[=ENV_VAR]` maps one secret into one exec, shell, or service call without
@@ -430,7 +438,7 @@ Advanced lifecycle tools:
 
 Persistent workspace tools:
 
-- `workspace_create(environment, vcpu_count=1, mem_mib=1024, ttl_seconds=600, network=false, allow_host_compat=false, seed_path=null, secrets=null)`
+- `workspace_create(environment, vcpu_count=1, mem_mib=1024, ttl_seconds=600, network_policy="off", allow_host_compat=false, seed_path=null, secrets=null)`
 - `workspace_sync_push(workspace_id, source_path, dest="/workspace")`
 - `workspace_exec(workspace_id, command, timeout_seconds=30, secret_env=null)`
 - `workspace_export(workspace_id, path, output_path)`
@@ -439,7 +447,7 @@ Persistent workspace tools:
 - `snapshot_list(workspace_id)`
 - `snapshot_delete(workspace_id, snapshot_name)`
 - `workspace_reset(workspace_id, snapshot="baseline")`
-- `service_start(workspace_id, service_name, command, cwd="/workspace", readiness=null, ready_timeout_seconds=30, ready_interval_ms=500, secret_env=null)`
+- `service_start(workspace_id, service_name, command, cwd="/workspace", readiness=null, ready_timeout_seconds=30, ready_interval_ms=500, secret_env=null, published_ports=null)`
 - `service_list(workspace_id)`
 - `service_status(workspace_id, service_name)`
 - `service_logs(workspace_id, service_name, tail_lines=200)`